Two critical flaws in Magento – Adobe’s e-commerce platform that is commonly targeted by attackers like the Magecart threat group – could enable arbitrary code execution on affected systems.
Retail is set to boom in the coming months – between this week’s Amazon Prime Day and November’s Black Friday – which puts pressure on Adobe to rapidly patch up any holes in the popular Magento open-source platform, which powers many online shops.
The company on Thursday disclosed two critical flaws, six important-rated errors and one moderate-severity vulnerability plaguing both Magento Commerce (which is aimed at enterprises that need premium support levels, and has a license fee starting at $24,000 annually) and Magento Open Source (its free alternative).
The most severe of these is a vulnerability that allows for arbitrary code execution (CVE-2020-24407). The issue stems from the application not validating the full filename when using an “allow list” method to check file extensions, so an attacker could bypass the validation and upload a malicious file. The flaw is not exploitable pre-authentication: according to Adobe, an attacker would need an authenticated account with administrative privileges.
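The bug class described above, as an added illustration (not Magento's code and not the actual patched routine): the weak check accepts a name if any fragment of it carries an allowed extension, while the hardened check validates the whole filename. The allow list and the sample filenames are constructed for this example.

```python
import posixpath

# Constructed allow list for an image-upload endpoint (an assumption for this
# example, not Magento's configuration).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def weak_is_allowed(filename: str) -> bool:
    """Flawed check of the kind described above: it accepts the upload if
    ANY dot-separated segment after the first is on the allow list, so it
    never evaluates the full filename. Illustrative only."""
    segments = filename.lower().split(".")
    return any(seg in ALLOWED_EXTENSIONS for seg in segments[1:])


def hardened_is_allowed(filename: str) -> bool:
    """Validate the whole filename, not a fragment of it."""
    # Empty names and NUL bytes (which can truncate the name in lower layers)
    # are rejected outright.
    if not filename or "\x00" in filename:
        return False
    # The name must be a bare basename: no directory traversal, no separators.
    if "\\" in filename or filename != posixpath.basename(filename):
        return False
    stem, dot, ext = filename.rpartition(".")
    # Require a non-empty stem and a real extension (rejects "shell" and ".php").
    if not dot or not stem:
        return False
    # Reject double extensions such as shell.php.jpg; some web servers
    # evaluate every extension, not only the last one.
    if "." in stem:
        return False
    return ext.lower() in ALLOWED_EXTENSIONS


def check_all(filenames):
    """Return {name: (weak_result, hardened_result)} for a batch of names."""
    return {n: (weak_is_allowed(n), hardened_is_allowed(n)) for n in filenames}


if __name__ == "__main__":
    # Constructed sample uploads: one legitimate, the rest bypass attempts.
    samples = ["photo.jpg", "shell.jpg.php", "shell.php.jpg",
               "../shell.jpg", "shell.php\x00.jpg", "shell.php"]
    for name, (weak, hard) in check_all(samples).items():
        print(f"{name!r:24} weak={weak!s:5} hardened={hard}")
```

The weak check passes every bypass attempt in the sample list; the hardened check passes only `photo.jpg`. Extension checking alone is still not sufficient on its own: in a real deployment the upload directory should also be served without script execution and the stored name should be generated by the server rather than taken from the request.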
The other critical flaw is an SQL injection vulnerability, a class of web security flaw in which attacker-controlled input alters the queries that an application makes to its database. As with the code-execution bug, it is not exploitable pre-authentication; an attacker with administrative privileges could exploit it to gain arbitrary read or write access to the database.
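To show what “arbitrary read or write access” means in practice, here is an added example (not Magento's code) of the flaw class and its fix, using a constructed in-memory SQLite table: one read path and one write path built by string splicing, beside the same two paths using parameter binding. The table, rows and payloads are constructed for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory customer table standing in for a store database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, email TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO customer (email, is_admin) VALUES (?, ?)",
        [("alice@example.com", 0), ("bob@example.com", 0), ("admin@example.com", 1)],
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn, email: str):
    # Input is spliced into the SQL text, so quotes in it change the query's meaning.
    sql = "SELECT id, email, is_admin FROM customer WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, email: str):
    # Parameter binding: the driver passes the value separately from the SQL text.
    return conn.execute(
        "SELECT id, email, is_admin FROM customer WHERE email = ?", (email,)
    ).fetchall()


def vulnerable_update_email(conn, customer_id: str, new_email: str) -> int:
    # Same flaw on a write path; returns the number of rows modified.
    sql = f"UPDATE customer SET email = '{new_email}' WHERE id = {customer_id}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def safe_update_email(conn, customer_id: str, new_email: str) -> int:
    # Validate the type before binding; a non-integer id cannot become SQL.
    try:
        cid = int(customer_id)
    except ValueError:
        return 0
    cur = conn.execute("UPDATE customer SET email = ? WHERE id = ?", (new_email, cid))
    conn.commit()
    return cur.rowcount


def run_demo() -> dict:
    """Exercise both paths with constructed payloads and return the outcomes."""
    read_payload = "' OR '1'='1"      # turns the WHERE clause into a tautology
    write_payload = "1 OR 1=1"        # widens a single-row UPDATE to every row
    conn = make_db()
    results = {
        "vuln_read_rows": len(vulnerable_lookup(conn, read_payload)),
        "safe_read_rows": len(safe_lookup(conn, read_payload)),
        "safe_update_rows": safe_update_email(conn, write_payload, "x@attacker.example"),
        "vuln_update_rows": vulnerable_update_email(conn, write_payload, "x@attacker.example"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The vulnerable read returns every row (including the admin account) for a payload that matches no real e-mail address, and the vulnerable update rewrites all three rows instead of one; the parameterized versions return nothing and touch nothing. SQLite's Python driver refuses stacked statements, so the example sticks to tautologies, but the same splicing on a server that accepts them would permit arbitrary statements.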
Adobe also issued patches for several important-rated improper-authorization vulnerabilities, which occur when an application does not properly check that a user is authorized to use a given function, and which could ultimately expose data. These include a flaw that could allow unauthorized modification of Magento content management system (CMS) pages (CVE-2020-24404), one that could enable unauthorized modification of an e-commerce business customer list (CVE-2020-24402) and two that could allow unauthorized access to restricted resources (CVE-2020-24405 and CVE-2020-24403).
Another important vulnerability stems from an insufficient validation of a User Session, which could give an attacker unauthorized access to restricted resources (CVE-2020-24401).
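The two flaw classes in the preceding paragraphs (missing authorization checks and insufficient session validation) in one added example that is not Magento's code: a weak gate that grants any action to any known session id, beside a gate that checks the session exists, has not expired, and belongs to a role holding the requested permission. The role map, permission names, session store and timestamps are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed role-to-permission map (an assumption for this example, not
# Magento's ACL). The permission names are hypothetical.
PERMISSIONS = {
    "admin": {"cms.page.edit", "customer.list.edit", "report.view"},
    "editor": {"cms.page.edit"},
    "viewer": set(),
}


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    expires_at: int  # Unix time


# Constructed session store; the timestamps are fixed so the example is deterministic.
SESSIONS = {
    "sess-admin-1": Session("admin", "admin", expires_at=2_000),
    "sess-editor-1": Session("erin", "editor", expires_at=2_000),
    "sess-editor-old": Session("erin", "editor", expires_at=500),  # expired by t=1000
}


def weak_authorize(session_id: str, permission: str, now: int) -> bool:
    """Insufficient check: any known session id grants any action.
    Neither expiry nor the caller's role is consulted."""
    return session_id in SESSIONS


def authorize(session_id: str, permission: str, now: int) -> Tuple[bool, str]:
    """Validate the session fully, then check the role against the action.
    Returns (allowed, reason) so a caller can log the denial reason."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False, "unknown session"
    if session.expires_at <= now:
        return False, "session expired"
    if permission not in PERMISSIONS.get(session.role, set()):
        return False, f"role {session.role!r} lacks {permission!r}"
    return True, "ok"


if __name__ == "__main__":
    now = 1_000
    requests = [
        ("sess-admin-1", "customer.list.edit"),
        ("sess-editor-1", "cms.page.edit"),
        ("sess-editor-1", "customer.list.edit"),   # editor touching the customer list
        ("sess-editor-old", "cms.page.edit"),      # expired session
        ("sess-unknown", "report.view"),
    ]
    for sid, perm in requests:
        print(f"{sid:16} {perm:20} weak={weak_authorize(sid, perm, now)!s:5} "
              f"full={authorize(sid, perm, now)}")
```

The weak gate lets the editor modify the customer list and lets an expired session edit CMS pages, which is the shape of the authorization and session-validation bugs listed above; the full gate denies both and says why. The check must run server-side on every request, not only when the admin UI renders a menu.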
For all of the flaws above, an attacker would need administrative privileges, and none of them is exploitable pre-authentication, according to Adobe.
Specifically affected are Magento Commerce and Magento Open Source, versions 2.3.5-p1 and earlier and 2.4.0 and earlier. Adobe has issued fixes in Magento Commerce and Magento Open Source versions 2.4.1 and 2.3.6, and “recommends users update their installation to the newest version.”
The update for all of the vulnerabilities carries Adobe’s priority rating 2, meaning they exist in a product that has historically been at elevated risk, but for which there are currently no known exploits.
“Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for example, within 30 days),” according to the firm.
Indeed, Magento has had its share of security flaws over the past year. In July, Adobe fixed two critical vulnerabilities and two important-severity flaws that could have enabled code execution and a signature-verification bypass. And in April, Adobe patched several critical flaws in Magento, which if exploited could lead to arbitrary code execution or information disclosure.
The patches also come after Magento 1 reached end-of-life (EOL) in June, with Adobe making a last-ditch effort to urge the 100,000 online stores still running the outdated version to migrate to Magento 2, which was released five years ago.